Computer Crime Research Center

Symantec Anti-Virus not so hard, and not alone

A security researcher has uncovered a dangerous weakness in Symantec's antivirus products that could allow malware to corrupt the software and execute malicious programs on the user's computer.

Alex Wheeler, a security researcher who recently left Internet Security Systems, said there is a problem in the way that Symantec's software unpacks RAR files, a compressed archive format similar to ZIP. Wheeler found that a virus or worm hidden inside a specially crafted RAR file could be made to run on the user's machine and allow attackers to take complete control over computers running the program.

Wheeler's advisory notes that if users have configured their Symantec product to automatically scan all incoming e-mail, the vulnerability could be exploited remotely without any action on the part of the user. The advisory also says it is likely this vulnerability affects a substantial portion of Symantec's antivirus products, including its gateway server, a product widely implemented in corporate environments.

This is not the first time we've seen similarly serious vulnerabilities in antivirus products. This flaw is very similar to others, including one Wheeler called attention to in February. Other similar flaws this year were found in products from Trend Micro, F-Secure, McAfee and ClamAV.

According to the advisory at SecurityFocus, the vulnerable portion of Symantec's code is also licensed to a substantial number of vendors with products and services that are likely affected.